Our Blog

Use Metasploit to Verify Rails is Secured from CVE-2013-0156

By Brian Buchalter
January 10, 2013

On January 8th, 2013 Aaron Patterson announced a major security vulnerability on the Rails security mailing list, affecting all releases of the Ruby on Rails framework. This vulnerability allows an unskilled attacker to execute commands remotely on any unpatched Rails web server. Unsurprisingly, it’s getting a lot of attention; Ars Technica estimates more than 200,000 sites may be vulnerable. With all the hype, it’s important to separate the facts from the fiction and use the attacker’s own tools to verify your site is secure.

Within 36 hours of the announcement of CVE-2013-0156, the developers at Rapid7 released a metasploit exploit module. Metasploit lowers the barriers to entry for attackers, making the whole process a point and click affair with a slick web GUI. Fortunately, the Rails security team has provided many easy to implement mitigation options. But, how do know you’ve really closed the vulnerability, particularly to the most automated and unskilled attacks? No better way than to try and exploit yourself.

It’s best to scan your unpatched site first so you can be certain the scan is working as expected and you don’t end up with a false positive that you’ve eliminated the …

Conversion Tracking via JavaScript

By Steph Skardal
January 8, 2013

Most analytics conversion tracking is done these days with JavaScript or invisible pixel requests on the page that indicates a user has reached a conversion event, such as the receipt page. For example, Google Analytics conversion code might look like this on the receipt page:

_gaq.push(['_setAccount', 'UA-XXXXX-X']);
_gaq.push(['_trackPageview']);
_gaq.push(['_addTrans',
   '1234',           // transaction ID - required
   'Womens Apparel', // affiliation or store name
   '28.28',          // total - required
   '1.29',           // tax
   '15.00',          // shipping
   'San Jose',       // city
   'California',     // state or province
   'USA'             // country
]);
_gaq.push(['_addItem',
   '1234',           // transaction ID - necessary to associate item with transaction
   'DD44',           // SKU/code - required
   'T-Shirt',        // product name
   'Olive Medium',   // category or variation
   '11.99',          // unit price - required
   '1'               // quantity - required
]);
_gaq.push(['_trackTrans' …

Company Update January 2013

By Phineas Jensen
January 4, 2013

With the busy holiday season just behind us, we haven’t had as much time to write blog posts about what we’ve been doing in the past few months. So here’s an update on some of our latest projects:

• Brian Buchalter has been implementing new features for of a major release of Collaborative Software Initiative’s open source product, TriSano, which provides case and outbreak management, surveillance and analytics for global public health.

• Dave has worked on deepening our contacts with content providers and agencies using or interested in using the Liquid Galaxy platform. Recently back from Japan, Dave sold a Liquid Galaxy system to a research group in Kyoto.

• David has been working on an HA (highly available) PostgreSQL database system with automatic failover, dynamic node creation/population, and configuration synchronization.

• Greg Sabino Mullane has been speeding up slow queries, debugging pg_bouncer problems, expanding the abilities of Bucardo, and many other PostgreSQL-related activities.

• Jeff has been working on some major updates to the HydroPool site, including adding a set of “parts” products from an external supplier, with an interface that displays the schematic …

Paper Source: The Road to nginx Full Page Caching in Interchange

By Steph Skardal
January 3, 2013

Background & Motivation

During the recent holiday season, it became apparent that some efforts were needed to improve performance for Paper Source to minimize down-time and server sluggishness. Paper Source runs on Interchange and sells paper and stationery products, craft products, personalized invitations, and some great gifts! They also have over 40 physical stores which in addition to selling products, offer on-site workshops.

Over the holiday season, the website experienced a couple of instances where server load spiked causing extreme sluggishness for customers. Various parts of the site leverage Interchange’s timed-build tag, which creates static caches of parts of a page (equivalent to Rails’ and Django’s fragment caching). However, in all cases, Interchange is still being hit for the page request and often the pages perform repeated logic and database hits that opens an opportunity for optimization.

The Plan

The long-term plan for Paper Source is to move towards full page nginx caching, which will yield speedily served pages that do not require Interchange to be touched. However, there are several code and configuration hurdles that we have to get over first, …

Oceanographic Museum of Monaco Liquid Galaxy

By Benjamin Goldstein
December 31, 2012

In December End Point installed a Liquid Galaxy at the spectacular and renowned Musée Océanographique de Monaco, which is breathtakingly situated on a cliff overlooking the Mediterranean. The system, donated by Google, will be officially presented on January 21st to H.S.H. Prince Albert II of Monaco, who is the Honorary President of the Oceanographic Institute of which the museum is a major part.

End Point set up and configured the system. Our expertise was also called on by Google to create and adapt Google Earth Tours focused on the world’s oceans, including a tour about Ocean Acidification. In addition, End Point engineers developed a customized panoramic photo viewer for the remarkable Catlin Seaview Survey panoramas, which display and provide a baseline dataset for the earth’s coral reefs.

Many thanks are due to Jenifer Austin Foulkes, Google’s Ocean Program Manager, and to Jason Holt of Google for their work in supporting this project.

It is difficult to speak highly enough about the Musée Océanographique de Monaco. Prince Albert I of Monaco was an oceanographer himself and created the museum in 1901 with a vision of bringing art and ocean science …

Piggybak: End of Year Update

By Steph Skardal
December 27, 2012

Over the last few months, my coworkers and I have shared several updates on Piggybak progress (October 2012 Piggybak Roadmap , November 2012 Piggybak Roadmap Status Update). Piggybak is an open source, mountable as a Rails Engine, Ruby on Rails ecommerce platform developed and maintained by End Point. Here’s a brief background on Piggybak followed by an end of year update with some recent Piggybak news.

A Brief Background

Over the many years that End Point has been around, we’ve amassed a large amount of experience in working with various ecommerce frameworks, open source and proprietary. A large portion of End Point’s recent development work (we also offer database, hosting, and Liquid Galaxy support) has been with Interchange, a Perl-based open source ecommerce framework, and Spree, a Ruby on Rails based open sourced ecommerce framework. Things came together for Piggybak earlier this year when a new client project prompted the need for a more flexible and customizable Ruby on Rails ecommerce solution. Piggybak also leveraged earlier work that I did with light-weight Sinatra-based cart functionality.

Jump ahead a few months, and now Piggybak is a strong base for …

Find your Perl in Other Shells

By Mark Johnson
December 26, 2012

Often when programming, it turns out the best tools for the job are system tools, even in an excellent language like Perl. Perl makes this easy with a number of ways you can allocate work to the underlying system: backtick quotes, qx(), system(), exec(), and open(). Virtually anyone familiar with Perl is familiar with most or all of these ways of executing system commands.

What’s perhaps less familiar, and a bit more subtle, is what Perl really does when handing these off to the underlying system to execute. The docs for exec() tell us the following:

       exec LIST
       exec PROGRAM LIST
[snip]
            If there is more than one argument in LIST, or if LIST is an
            array with more than one value, calls execvp(3) with the
            arguments in LIST.  If there is only one scalar argument or an
            array with one element in it, the argument is checked for shell
            metacharacters, and if there are any, the entire argument is
            passed to the system's command shell for parsing (this is
            "/bin/sh -c" on Unix platforms, but varies on other platforms).

That last parenthetical is a key element when we “shell …

Redirect from HTTP to HTTPS before basic auth

By Ron Phipps
December 22, 2012

While reviewing PCI scan results for a client I found an issue where the scanner had an issue with a private admin URL requesting basic http auth over HTTP. The admin portion of the site has its own authentication method and it is served completely over HTTPS. We have a second layer of protection with basic auth, but the issue is the username and password could be snooped on since it can be accessed via HTTP.

The initial research and attempts at fixing the problem did not work out as intended. Until I found this blog post on the subject. The blog laid out all of the ways that I had already tried and then a new solution was presented.

I followed the recommended hack which is to use SSLRequireSSL in a location matching the admin and a custom 403 ErrorDocument. This 403 ErrorDocument does a bit of munging of the URL and redirects from HTTP to HTTPS. The instructions in the blog did have one issue, in our environment I could not serve the 403 document from the admin, I had to have it in an area that could be accessed by HTTP and by the public. I’m not sure how it could work being served from a URL that requires ssl and is protected by basic auth. The reason that this hack …